private X509CertPairStoreSelector( X509CertPairStoreSelector o) { this.certPair = o.CertPair; this.forwardSelector = o.ForwardSelector; this.reverseSelector = o.ReverseSelector; }
private static X509Certificate GetCertificate(SignerInformation signer, IX509Store cmsCertificates) { X509Certificate cert = null; // Create a selector with the information necessary to // find the signer certificate X509CertStoreSelector sel = new X509CertStoreSelector(); sel.Issuer = signer.SignerID.Issuer; sel.SerialNumber = signer.SignerID.SerialNumber; // Try find a match IList certificatesFound = new ArrayList( cmsCertificates.GetMatches(sel) ); if (certificatesFound.Count > 0) // Match found { // Load certificate from CMS Console.WriteLine("Loading signer's certificate from CMS..."); cert = (X509Certificate)certificatesFound[0]; } else { // Load certificate from file Console.WriteLine("Loading signer's certificate from file..."); ReadCertificate("..\\..\\example.cer"); } return cert; }
private void baseTest() { // CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC"); X509CertificateParser certParser = new X509CertificateParser(); X509CrlParser crlParser = new X509CrlParser(); // initialise CertStore X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin); X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin); X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin); X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin); X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin); IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(finalCert); IList crlList = new ArrayList(); crlList.Add(rootCrl); crlList.Add(interCrl); // CollectionCertStoreParameters ccsp = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", ccsp, "BC"); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); // NB: Month is 1-based in .NET //DateTime validDate = new DateTime(2008, 9, 4, 14, 49, 10).ToUniversalTime(); DateTime validDate = new DateTime(2008, 9, 4, 5, 49, 10);//.ToUniversalTime(); //Searching for rootCert by subjectDN without CRL ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX","BC"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = finalCert.SubjectDN; PkixBuilderParameters parameters = new PkixBuilderParameters(trust, targetConstraints); // parameters.addCertStore(store); parameters.AddStore(x509CertStore); parameters.AddStore(x509CrlStore); parameters.Date = new DateTimeObject(validDate); PkixCertPathBuilderResult result = cpb.Build(parameters); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in baseTest path"); } }
public X509CertStoreSelector(X509CertStoreSelector o) { authorityKeyIdentifier = o.AuthorityKeyIdentifier; basicConstraints = o.BasicConstraints; certificate = o.Certificate; certificateValid = o.CertificateValid; extendedKeyUsage = o.ExtendedKeyUsage; issuer = o.Issuer; keyUsage = o.KeyUsage; policy = o.Policy; privateKeyValid = o.PrivateKeyValid; serialNumber = o.SerialNumber; subject = o.Subject; subjectKeyIdentifier = o.SubjectKeyIdentifier; subjectPublicKey = o.SubjectPublicKey; subjectPublicKeyAlgID = o.SubjectPublicKeyAlgID; }
public X509CertStoreSelector(X509CertStoreSelector o) { this.authorityKeyIdentifier = o.AuthorityKeyIdentifier; this.basicConstraints = o.BasicConstraints; this.certificate = o.Certificate; this.certificateValid = o.CertificateValid; this.extendedKeyUsage = o.ExtendedKeyUsage; this.issuer = o.Issuer; this.keyUsage = o.KeyUsage; this.policy = o.Policy; this.privateKeyValid = o.PrivateKeyValid; this.serialNumber = o.SerialNumber; this.subject = o.Subject; this.subjectKeyIdentifier = o.SubjectKeyIdentifier; this.subjectPublicKey = o.SubjectPublicKey; this.subjectPublicKeyAlgID = o.SubjectPublicKeyAlgID; }
public X509CertStoreSelector( X509CertStoreSelector o) { this.authorityKeyIdentifier = o.AuthorityKeyIdentifier; this.basicConstraints = o.BasicConstraints; this.certificate = o.Certificate; this.certificateValid = o.CertificateValid; this.extendedKeyUsage = o.ExtendedKeyUsage; this.issuer = o.Issuer; this.keyUsage = o.KeyUsage; this.policy = o.Policy; this.privateKeyValid = o.PrivateKeyValid; this.serialNumber = o.SerialNumber; this.subject = o.Subject; this.subjectKeyIdentifier = o.SubjectKeyIdentifier; this.subjectPublicKey = o.SubjectPublicKey; this.subjectPublicKeyAlgID = o.SubjectPublicKeyAlgID; }
private void certPairTest() { X509CertificateParser certParser = new X509CertificateParser(); X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin); X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin); X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin); // Testing CollectionCertStore generation from List X509CertificatePair pair1 = new X509CertificatePair(rootCert, interCert); IList certList = new ArrayList(); certList.Add(pair1); certList.Add(new X509CertificatePair(interCert, finalCert)); IX509Store certStore = X509StoreFactory.Create( "CertificatePair/Collection", new X509CollectionStoreParameters(certList)); X509CertPairStoreSelector selector = new X509CertPairStoreSelector(); X509CertStoreSelector fwSelector = new X509CertStoreSelector(); fwSelector.SerialNumber = rootCert.SerialNumber; fwSelector.Subject = rootCert.IssuerDN; selector.ForwardSelector = fwSelector; IList col = new ArrayList(certStore.GetMatches(selector)); if (col.Count != 1 || !col.Contains(pair1)) { Fail("failed pair1 test"); } col = new ArrayList(certStore.GetMatches(null)); if (col.Count != 2) { Fail("failed null test"); } }
private static X509CertStoreSelector CloneSelector( X509CertStoreSelector s) { return(s == null ? null : (X509CertStoreSelector)s.Clone()); }
public override void PerformTest() { X509CertificateParser certParser = new X509CertificateParser(); X509CrlParser crlParser = new X509CrlParser(); X509Certificate rootCert = certParser.ReadCertificate(CertPathTest.rootCertBin); X509Certificate interCert = certParser.ReadCertificate(CertPathTest.interCertBin); X509Certificate finalCert = certParser.ReadCertificate(CertPathTest.finalCertBin); X509Crl rootCrl = crlParser.ReadCrl(CertPathTest.rootCrlBin); X509Crl interCrl = crlParser.ReadCrl(CertPathTest.interCrlBin); // Testing CollectionCertStore generation from List IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(finalCert); IX509Store certStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); // set default to be the same as for SUN X500 name X509Name.DefaultReverse = true; // Searching for rootCert by subjectDN X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = PrincipalUtilities.GetSubjectX509Principal(rootCert); IList certs = new ArrayList(certStore.GetMatches(targetConstraints)); if (certs.Count != 1 || !certs.Contains(rootCert)) { Fail("rootCert not found by subjectDN"); } // Searching for rootCert by subjectDN encoded as byte targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = PrincipalUtilities.GetSubjectX509Principal(rootCert); certs = new ArrayList(certStore.GetMatches(targetConstraints)); if (certs.Count != 1 || !certs.Contains(rootCert)) { Fail("rootCert not found by encoded subjectDN"); } X509Name.DefaultReverse = false; // Searching for rootCert by public key encoded as byte targetConstraints = new X509CertStoreSelector(); targetConstraints.SubjectPublicKey = SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(rootCert.GetPublicKey()); certs = new ArrayList(certStore.GetMatches(targetConstraints)); if (certs.Count != 1 || !certs.Contains(rootCert)) { Fail("rootCert not found by encoded public key"); } // Searching for interCert by issuerDN targetConstraints = new X509CertStoreSelector(); targetConstraints.Issuer = PrincipalUtilities.GetSubjectX509Principal(rootCert); certs = new ArrayList(certStore.GetMatches(targetConstraints)); if (certs.Count != 2) { Fail("did not found 2 certs"); } if (!certs.Contains(rootCert)) { Fail("rootCert not found"); } if (!certs.Contains(interCert)) { Fail("interCert not found"); } // Searching for rootCrl by issuerDN IList crlList = new ArrayList(); crlList.Add(rootCrl); crlList.Add(interCrl); IX509Store store = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); X509CrlStoreSelector targetConstraintsCRL = new X509CrlStoreSelector(); ArrayList issuers = new ArrayList(); issuers.Add(rootCrl.IssuerDN); targetConstraintsCRL.Issuers = issuers; IList crls = new ArrayList(store.GetMatches(targetConstraintsCRL)); if (crls.Count != 1 || !crls.Contains(rootCrl)) { Fail("rootCrl not found"); } crls = new ArrayList(certStore.GetMatches(targetConstraintsCRL)); if (crls.Count != 0) { Fail("error using wrong selector (CRL)"); } certs = new ArrayList(store.GetMatches(targetConstraints)); if (certs.Count != 0) { Fail("error using wrong selector (certs)"); } // Searching for attribute certificates X509V2AttributeCertificate attrCert = new X509V2AttributeCertificate(AttrCertTest.attrCert); IX509AttributeCertificate attrCert2 = new X509V2AttributeCertificate(AttrCertTest.certWithBaseCertificateID); IList attrList = new ArrayList(); attrList.Add(attrCert); attrList.Add(attrCert2); store = X509StoreFactory.Create( "AttributeCertificate/Collection", new X509CollectionStoreParameters(attrList)); X509AttrCertStoreSelector attrSelector = new X509AttrCertStoreSelector(); attrSelector.Holder = attrCert.Holder; if (!attrSelector.Holder.Equals(attrCert.Holder)) { Fail("holder get not correct"); } IList attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert)) { Fail("attrCert not found on holder"); } attrSelector.Holder = attrCert2.Holder; if (attrSelector.Holder.Equals(attrCert.Holder)) { Fail("holder get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert2)) { Fail("attrCert2 not found on holder"); } attrSelector = new X509AttrCertStoreSelector(); attrSelector.Issuer = attrCert.Issuer; if (!attrSelector.Issuer.Equals(attrCert.Issuer)) { Fail("issuer get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert)) { Fail("attrCert not found on issuer"); } attrSelector.Issuer = attrCert2.Issuer; if (attrSelector.Issuer.Equals(attrCert.Issuer)) { Fail("issuer get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert2)) { Fail("attrCert2 not found on issuer"); } attrSelector = new X509AttrCertStoreSelector(); attrSelector.AttributeCert = attrCert; if (!attrSelector.AttributeCert.Equals(attrCert)) { Fail("attrCert get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert)) { Fail("attrCert not found on attrCert"); } attrSelector = new X509AttrCertStoreSelector(); attrSelector.SerialNumber = attrCert.SerialNumber; if (!attrSelector.SerialNumber.Equals(attrCert.SerialNumber)) { Fail("serial number get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert)) { Fail("attrCert not found on serial number"); } attrSelector = (X509AttrCertStoreSelector)attrSelector.Clone(); if (!attrSelector.SerialNumber.Equals(attrCert.SerialNumber)) { Fail("serial number get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert)) { Fail("attrCert not found on serial number"); } attrSelector = new X509AttrCertStoreSelector(); attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotBefore); if (attrSelector.AttributeCertificateValid.Value != attrCert.NotBefore) { Fail("valid get not correct"); } attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 1 || !attrs.Contains(attrCert)) { Fail("attrCert not found on valid"); } attrSelector = new X509AttrCertStoreSelector(); attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotBefore.AddMilliseconds(-100)); attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 0) { Fail("attrCert found on before"); } attrSelector.AttributeCertificateValid = new DateTimeObject(attrCert.NotAfter.AddMilliseconds(100)); attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 0) { Fail("attrCert found on after"); } attrSelector.SerialNumber = BigInteger.ValueOf(10000); attrs = new ArrayList(store.GetMatches(attrSelector)); if (attrs.Count != 0) { Fail("attrCert found on wrong serial number"); } attrSelector.AttributeCert = null; attrSelector.AttributeCertificateValid = null; attrSelector.Holder = null; attrSelector.Issuer = null; attrSelector.SerialNumber = null; if (attrSelector.AttributeCert != null) { Fail("null attrCert"); } if (attrSelector.AttributeCertificateValid != null) { Fail("null attrCertValid"); } if (attrSelector.Holder != null) { Fail("null attrCert holder"); } if (attrSelector.Issuer != null) { Fail("null attrCert issuer"); } if (attrSelector.SerialNumber != null) { Fail("null attrCert serial"); } attrs = new ArrayList(certStore.GetMatches(attrSelector)); if (attrs.Count != 0) { Fail("error using wrong selector (attrs)"); } certPairTest(); }
//jbonilla - Por algún motivo, no devuleve el certificado root. public static X509Certificate[] BuildCertificateChainBC(X509Certificate checkCert, ICollection<X509Certificate> keystore) { PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate List<X509Certificate> intermediateCerts = new List<X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (X509Certificate cert in keystore) { // Separate root and subordinate certificates if (IsSelfSigned(cert)) rootCerts.Add(new TrustAnchor(cert, null)); else intermediateCerts.Add(cert); } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = checkCert; // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); List<X509Certificate> chain = new List<X509Certificate>(); foreach(X509Certificate cert in result.CertPath.Certificates) { chain.Add(cert); } return chain.ToArray(); }
PkixCertPath BuildCertPath(HashSet anchors, IX509Store certificates, IX509Store crls, X509Certificate certificate, DateTime? signingTime) { var intermediate = new X509CertificateStore (); foreach (X509Certificate cert in certificates.GetMatches (null)) intermediate.Add (cert); var selector = new X509CertStoreSelector (); selector.Certificate = certificate; var parameters = new PkixBuilderParameters (anchors, selector); parameters.AddStore (GetIntermediateCertificates ()); parameters.AddStore (intermediate); var localCrls = GetCertificateRevocationLists (); parameters.AddStore (localCrls); parameters.AddStore (crls); // Note: we disable revocation unless we actually have non-empty revocation lists parameters.IsRevocationEnabled = localCrls.GetMatches (null).Count > 0; parameters.ValidityModel = PkixParameters.ChainValidityModel; if (signingTime.HasValue) parameters.Date = new DateTimeObject (signingTime.Value); var result = new PkixCertPathBuilder ().Build (parameters); return result.CertPath; }
private static X509CertStoreSelector CloneSelector( X509CertStoreSelector s) { return s == null ? null : (X509CertStoreSelector) s.Clone(); }
/// <summary> /// Search the given Set of TrustAnchor's for one that is the /// issuer of the given X509 certificate. /// </summary> /// <param name="cert">the X509 certificate</param> /// <param name="trustAnchors">a Set of TrustAnchor's</param> /// <returns>the <code>TrustAnchor</code> object if found or /// <code>null</code> if not. /// </returns> /// @exception internal static TrustAnchor FindTrustAnchor( X509Certificate cert, ISet trustAnchors) { IEnumerator iter = trustAnchors.GetEnumerator(); TrustAnchor trust = null; AsymmetricKeyParameter trustPublicKey = null; Exception invalidKeyEx = null; X509CertStoreSelector certSelectX509 = new X509CertStoreSelector(); try { certSelectX509.Subject = GetIssuerPrincipal(cert); } catch (IOException ex) { throw new Exception("Cannot set subject search criteria for trust anchor.", ex); } while (iter.MoveNext() && trust == null) { trust = (TrustAnchor) iter.Current; if (trust.TrustedCert != null) { if (certSelectX509.Match(trust.TrustedCert)) { trustPublicKey = trust.TrustedCert.GetPublicKey(); } else { trust = null; } } else if (trust.CAName != null && trust.CAPublicKey != null) { try { X509Name certIssuer = GetIssuerPrincipal(cert); X509Name caName = new X509Name(trust.CAName); if (certIssuer.Equivalent(caName, true)) { trustPublicKey = trust.CAPublicKey; } else { trust = null; } } catch (InvalidParameterException) { trust = null; } } else { trust = null; } if (trustPublicKey != null) { try { cert.Verify(trustPublicKey); } catch (Exception ex) { invalidKeyEx = ex; trust = null; } } } if (trust == null && invalidKeyEx != null) { throw new Exception("TrustAnchor found but certificate validation failed.", invalidKeyEx); } return trust; }
/** * Searches for a holder public key certificate and verifies its * certification path. * * @param attrCert the attribute certificate. * @param pkixParams The PKIX parameters. * @return The certificate path of the holder certificate. * @throws Exception if * <ul> * <li>no public key certificate can be found although holder * information is given by an entity name or a base certificate * ID</li> * <li>support classes cannot be created</li> * <li>no certification path for the public key certificate can * be built</li> * </ul> */ internal static PkixCertPath ProcessAttrCert1( IX509AttributeCertificate attrCert, PkixParameters pkixParams) { PkixCertPathBuilderResult result = null; // find holder PKCs ISet holderPKCs = new HashSet(); if (attrCert.Holder.GetIssuer() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.SerialNumber = attrCert.Holder.SerialNumber; X509Name[] principals = attrCert.Holder.GetIssuer(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in base certificate ID for attribute certificate cannot be found."); } } if (attrCert.Holder.GetEntityNames() != null) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = attrCert.Holder.GetEntityNames(); for (int i = 0; i < principals.Length; i++) { try { // if (principals[i] is X500Principal) { selector.Issuer = principals[i]; } holderPKCs.AddAll(PkixCertPathValidatorUtilities .FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathValidatorException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (holderPKCs.IsEmpty) { throw new PkixCertPathValidatorException( "Public key certificate specified in entity name for attribute certificate cannot be found."); } } // verify cert paths for PKCs PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(pkixParams); PkixCertPathValidatorException lastException = null; foreach (X509Certificate cert in holderPKCs) { X509CertStoreSelector selector = new X509CertStoreSelector(); selector.Certificate = cert; parameters.SetTargetConstraints(selector); PkixCertPathBuilder builder = new PkixCertPathBuilder(); try { result = builder.Build(PkixBuilderParameters.GetInstance(parameters)); } catch (PkixCertPathBuilderException e) { lastException = new PkixCertPathValidatorException( "Certification path for public key certificate of attribute certificate could not be build.", e); } } if (lastException != null) { throw lastException; } return result.CertPath; }
private X509CertPairStoreSelector(X509CertPairStoreSelector o) { this.certPair = o.CertPair; this.forwardSelector = o.ForwardSelector; this.reverseSelector = o.ReverseSelector; }
/** * Build and validate a CertPath using the given parameter. * * @param params PKIXBuilderParameters object containing all information to * build the CertPath */ public virtual PkixCertPathBuilderResult Build( PkixBuilderParameters pkixParams) { // search target certificates IX509Selector certSelect = pkixParams.GetTargetConstraints(); if (!(certSelect is X509AttrCertStoreSelector)) { throw new PkixCertPathBuilderException( "TargetConstraints must be an instance of " + typeof(X509AttrCertStoreSelector).FullName + " for " + typeof(PkixAttrCertPathBuilder).FullName + " class."); } ICollection targets; try { targets = PkixCertPathValidatorUtilities.FindCertificates( (X509AttrCertStoreSelector)certSelect, pkixParams.GetStores()); } catch (Exception e) { throw new PkixCertPathBuilderException("Error finding target attribute certificate.", e); } if (targets.Count == 0) { throw new PkixCertPathBuilderException( "No attribute certificate found matching targetContraints."); } PkixCertPathBuilderResult result = null; // check all potential target certificates foreach (IX509AttributeCertificate cert in targets) { X509CertStoreSelector selector = new X509CertStoreSelector(); X509Name[] principals = cert.Issuer.GetPrincipals(); ISet issuers = new HashSet(); for (int i = 0; i < principals.Length; i++) { try { selector.Subject = principals[i]; issuers.AddAll(PkixCertPathValidatorUtilities.FindCertificates(selector, pkixParams.GetStores())); } catch (Exception e) { throw new PkixCertPathBuilderException( "Public key certificate for attribute certificate cannot be searched.", e); } } if (issuers.IsEmpty) throw new PkixCertPathBuilderException("Public key certificate for attribute certificate cannot be found."); IList certPathList = Platform.CreateArrayList(); foreach (X509Certificate issuer in issuers) { result = Build(cert, issuer, pkixParams, certPathList); if (result != null) break; } if (result != null) break; } if (result == null && certPathException != null) { throw new PkixCertPathBuilderException( "Possible certificate chain could not be validated.", certPathException); } if (result == null && certPathException == null) { throw new PkixCertPathBuilderException( "Unable to find certificate chain."); } return result; }
public virtual bool Match(object obj) { X509Certificate x509Certificate = obj as X509Certificate; if (x509Certificate == null) { return(false); } if (!X509CertStoreSelector.MatchExtension(this.authorityKeyIdentifier, x509Certificate, X509Extensions.AuthorityKeyIdentifier)) { return(false); } if (this.basicConstraints != -1) { int num = x509Certificate.GetBasicConstraints(); if (this.basicConstraints == -2) { if (num != -1) { return(false); } } else if (num < this.basicConstraints) { return(false); } } if (this.certificate != null && !this.certificate.Equals(x509Certificate)) { return(false); } if (this.certificateValid != null && !x509Certificate.IsValid(this.certificateValid.Value)) { return(false); } if (this.extendedKeyUsage != null) { IList list = x509Certificate.GetExtendedKeyUsage(); if (list != null) { foreach (DerObjectIdentifier derObjectIdentifier in this.extendedKeyUsage) { if (!list.Contains(derObjectIdentifier.Id)) { return(false); } } } } if (this.issuer != null && !this.issuer.Equivalent(x509Certificate.IssuerDN, true)) { return(false); } if (this.keyUsage != null) { bool[] array = x509Certificate.GetKeyUsage(); if (array != null) { for (int i = 0; i < 9; i++) { if (this.keyUsage[i] && !array[i]) { return(false); } } } } if (this.policy != null) { Asn1OctetString extensionValue = x509Certificate.GetExtensionValue(X509Extensions.CertificatePolicies); if (extensionValue == null) { return(false); } Asn1Sequence instance = Asn1Sequence.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue)); if (this.policy.Count < 1 && instance.Count < 1) { return(false); } bool flag = false; foreach (PolicyInformation policyInformation in instance) { if (this.policy.Contains(policyInformation.PolicyIdentifier)) { flag = true; break; } } if (!flag) { return(false); } } if (this.privateKeyValid != null) { Asn1OctetString extensionValue2 = x509Certificate.GetExtensionValue(X509Extensions.PrivateKeyUsagePeriod); if (extensionValue2 == null) { return(false); } PrivateKeyUsagePeriod instance2 = PrivateKeyUsagePeriod.GetInstance(X509ExtensionUtilities.FromExtensionValue(extensionValue2)); DateTime value = this.privateKeyValid.Value; DateTime value2 = instance2.NotAfter.ToDateTime(); DateTime value3 = instance2.NotBefore.ToDateTime(); if (value.CompareTo(value2) > 0 || value.CompareTo(value3) < 0) { return(false); } } return((this.serialNumber == null || this.serialNumber.Equals(x509Certificate.SerialNumber)) && (this.subject == null || this.subject.Equivalent(x509Certificate.SubjectDN, true)) && X509CertStoreSelector.MatchExtension(this.subjectKeyIdentifier, x509Certificate, X509Extensions.SubjectKeyIdentifier) && (this.subjectPublicKey == null || this.subjectPublicKey.Equals(X509CertStoreSelector.GetSubjectPublicKey(x509Certificate))) && (this.subjectPublicKeyAlgID == null || this.subjectPublicKeyAlgID.Equals(X509CertStoreSelector.GetSubjectPublicKey(x509Certificate).AlgorithmID))); }
private void doTestExceptions() { byte[] enc = { (byte)0, (byte)2, (byte)3, (byte)4, (byte)5 }; // MyCertPath mc = new MyCertPath(enc); MemoryStream os = new MemoryStream(); MemoryStream ins; byte[] arr; // TODO Support serialization of cert paths? // ObjectOutputStream oos = new ObjectOutputStream(os); // oos.WriteObject(mc); // oos.Flush(); // oos.Close(); try { // CertificateFactory cFac = CertificateFactory.GetInstance("X.509"); arr = os.ToArray(); ins = new MemoryStream(arr, false); // cFac.generateCertPath(ins); new PkixCertPath(ins); } catch (CertificateException) { // ignore okay } // CertificateFactory cf = CertificateFactory.GetInstance("X.509"); X509CertificateParser cf = new X509CertificateParser(); IList certCol = new ArrayList(); certCol.Add(cf.ReadCertificate(certA)); certCol.Add(cf.ReadCertificate(certB)); certCol.Add(cf.ReadCertificate(certC)); certCol.Add(cf.ReadCertificate(certD)); // CertPathBuilder pathBuilder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder pathBuilder = new PkixCertPathBuilder(); X509CertStoreSelector select = new X509CertStoreSelector(); select.Subject = ((X509Certificate)certCol[0]).SubjectDN; ISet trustanchors = new HashSet(); trustanchors.Add(new TrustAnchor(cf.ReadCertificate(rootCertBin), null)); // CertStore certStore = CertStore.getInstance("Collection", new CollectionCertStoreParameters(certCol)); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certCol)); PkixBuilderParameters parameters = new PkixBuilderParameters(trustanchors, select); parameters.AddStore(x509CertStore); try { PkixCertPathBuilderResult result = pathBuilder.Build(parameters); PkixCertPath path = result.CertPath; Fail("found cert path in circular set"); } catch (PkixCertPathBuilderException) { // expected } }
/// <summary> /// Gets the trusted anchors. /// </summary> /// <remarks> /// A trusted anchor is a trusted root-level X.509 certificate, /// generally issued by a Certificate Authority (CA). /// </remarks> /// <returns>The trusted anchors.</returns> protected override Org.BouncyCastle.Utilities.Collections.HashSet GetTrustedAnchors () { var anchors = new Org.BouncyCastle.Utilities.Collections.HashSet (); var selector = new X509CertStoreSelector (); var keyUsage = new bool[9]; keyUsage[(int) X509KeyUsageBits.KeyCertSign] = true; selector.KeyUsage = keyUsage; foreach (var record in dbase.Find (selector, true, X509CertificateRecordFields.Certificate)) { anchors.Add (new TrustAnchor (record.Certificate, null)); } return anchors; }
static IEnumerable<Org.BouncyCastle.X509.X509Certificate> BuildCertificateChainBC(byte[] primary, IEnumerable<byte[]> additional) { X509CertificateParser parser = new X509CertificateParser(); PkixCertPathBuilder builder = new PkixCertPathBuilder(); // Separate root from itermediate var intermediateCerts = new List<Org.BouncyCastle.X509.X509Certificate>(); HashSet rootCerts = new HashSet(); foreach (byte[] cert in additional) { var x509Cert = parser.ReadCertificate(cert); // Separate root and subordinate certificates if (x509Cert.IssuerDN.Equivalent(x509Cert.SubjectDN)) rootCerts.Add(new TrustAnchor(x509Cert, null)); else intermediateCerts.Add(x509Cert); } // Create chain for this certificate X509CertStoreSelector holder = new X509CertStoreSelector(); holder.Certificate = parser.ReadCertificate(primary); // WITHOUT THIS LINE BUILDER CANNOT BEGIN BUILDING THE CHAIN intermediateCerts.Add(holder.Certificate); PkixBuilderParameters builderParams = new PkixBuilderParameters(rootCerts, holder); builderParams.IsRevocationEnabled = false; X509CollectionStoreParameters intermediateStoreParameters = new X509CollectionStoreParameters(intermediateCerts); builderParams.AddStore(X509StoreFactory.Create( "Certificate/Collection", intermediateStoreParameters)); PkixCertPathBuilderResult result = builder.Build(builderParams); return result.CertPath.Certificates.Cast<Org.BouncyCastle.X509.X509Certificate>(); }
private void Test(string _name, string[] _data, ISet _ipolset, bool _explicit, bool _accept, bool _debug) { testCount++; bool _pass = true; try { // CertPathBuilder _cpb = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder _cpb = new PkixCertPathBuilder(); X509Certificate _ee = DecodeCertificate(_data[_data.Length - 1]); X509CertStoreSelector _select = new X509CertStoreSelector(); _select.Subject = _ee.SubjectDN; IX509Store certStore, crlStore; MakeCertStore(_data, out certStore, out crlStore); PkixBuilderParameters _param = new PkixBuilderParameters( trustedSet, _select); _param.IsExplicitPolicyRequired = _explicit; _param.AddStore(certStore); _param.AddStore(crlStore); _param.IsRevocationEnabled = true; if (_ipolset != null) { _param.SetInitialPolicies(_ipolset); } PkixCertPathBuilderResult _result = _cpb.Build(_param); if (!_accept) { _pass = false; testFail.Add(_name); } } catch (Exception) { if (_accept) { _pass = false; testFail.Add(_name); } } resultBuf.Append("NISTCertPathTest -- ").Append(_name).Append(": ") .Append(_pass ? "\n" : "Failed.\n"); }
/** * Find the issuer certificates of a given certificate. * * @param cert * The certificate for which an issuer should be found. * @param pkixParams * @return A <code>Collection</code> object containing the issuer * <code>X509Certificate</code>s. Never <code>null</code>. * * @exception Exception * if an error occurs. */ internal static ICollection FindIssuerCerts( X509Certificate cert, PkixBuilderParameters pkixParams) { X509CertStoreSelector certSelect = new X509CertStoreSelector(); ISet certs = new HashSet(); try { certSelect.Subject = cert.IssuerDN; } catch (IOException ex) { throw new Exception( "Subject criteria for certificate selector to find issuer certificate could not be set.", ex); } try { certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetStores())); certs.AddAll(PkixCertPathValidatorUtilities.FindCertificates(certSelect, pkixParams.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Issuer certificate cannot be searched.", e); } return certs; }
private static IReadOnlyCollection<X509Certificate> GetChain([NotNull] X509Certificate cert, [CanBeNull] IReadOnlyList<X509Certificate> certs) { var certList = new List<X509Certificate>(); if (certs != null) certList.AddRange(certs); certList.Add(cert); var certStore = X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(certList)); var rootCerts = certs.Where(IsSelfSigned).ToList(); var trustAnchors = rootCerts.Select(x => new TrustAnchor(x, null)); var trust = new HashSet(trustAnchors); var cpb = new PkixCertPathBuilder(); var targetConstraints = new X509CertStoreSelector() { Certificate = cert, }; var parameters = new PkixBuilderParameters(trust, targetConstraints) { IsRevocationEnabled = false, }; parameters.AddStore(certStore); var cpbResult = cpb.Build(parameters); var result = new List<X509Certificate>(); result.AddRange(cpbResult.CertPath.Certificates.Cast<X509Certificate>()); result.Add(cpbResult.TrustAnchor.TrustedCert); return result; }
/// <summary> /// Return a Collection of all certificates or attribute certificates found /// in the X509Store's that are matching the certSelect criteriums. /// </summary> /// <param name="certSelect">a {@link Selector} object that will be used to select /// the certificates</param> /// <param name="certStores">a List containing only X509Store objects. These /// are used to search for certificates.</param> /// <returns>a Collection of all found <see cref="X509Certificate"/> or /// <see cref="Org.BouncyCastle.X509.IX509AttributeCertificate"/> objects. /// May be empty but never <code>null</code>.</returns> /// <exception cref="Exception"></exception> internal static ICollection FindCertificates( X509CertStoreSelector certSelect, IList certStores) { ISet certs = new HashSet(); foreach (IX509Store certStore in certStores) { try { // certs.AddAll(certStore.GetMatches(certSelect)); foreach (X509Certificate c in certStore.GetMatches(certSelect)) { certs.Add(c); } } catch (Exception e) { throw new Exception("Problem while picking certificates from X.509 store.", e); } } return certs; }
/// <summary> /// Builds certification path for provided signing certificate /// </summary> /// <param name="signingCertificate">Signing certificate</param> /// <param name="otherCertificates">Other certificates that should be used in path building process. Self-signed certificates from this list are used as trust anchors.</param> /// <param name="includeRoot">Flag indicating whether root certificate should be included int the certification path.</param> /// <returns>Certification path for provided signing certificate</returns> public static ICollection<BCX509.X509Certificate> BuildCertPath(byte[] signingCertificate, List<byte[]> otherCertificates, bool includeRoot) { if (signingCertificate == null) throw new ArgumentNullException("signingCertificate"); List<BCX509.X509Certificate> result = new List<BCX509.X509Certificate>(); BCX509.X509Certificate signingCert = ToBouncyCastleObject(signingCertificate); BCCollections.ISet trustAnchors = new BCCollections.HashSet(); List<BCX509.X509Certificate> otherCerts = new List<BCX509.X509Certificate>(); if (IsSelfSigned(signingCert)) { if (includeRoot) result.Add(signingCert); } else { otherCerts.Add(signingCert); if (otherCertificates != null) { foreach (byte[] otherCertificate in otherCertificates) { BCX509.X509Certificate otherCert = ToBouncyCastleObject(otherCertificate); otherCerts.Add(ToBouncyCastleObject(otherCertificate)); if (IsSelfSigned(otherCert)) trustAnchors.Add(new TrustAnchor(otherCert, null)); } } if (trustAnchors.Count < 1) throw new PkixCertPathBuilderException("Provided certificates do not contain self-signed root certificate"); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Certificate = signingCert; PkixBuilderParameters certPathBuilderParameters = new PkixBuilderParameters(trustAnchors, targetConstraints); certPathBuilderParameters.AddStore(X509StoreFactory.Create("Certificate/Collection", new X509CollectionStoreParameters(otherCerts))); certPathBuilderParameters.IsRevocationEnabled = false; PkixCertPathBuilder certPathBuilder = new PkixCertPathBuilder(); PkixCertPathBuilderResult certPathBuilderResult = certPathBuilder.Build(certPathBuilderParameters); foreach (BCX509.X509Certificate certPathCert in certPathBuilderResult.CertPath.Certificates) result.Add(certPathCert); if (includeRoot) result.Add(certPathBuilderResult.TrustAnchor.TrustedCert); } return result; }
/// <summary> /// Validates the cert with the provided ocsp responses. /// </summary> /// <param name="certificate">The cert to validate</param> /// <param name="issuer">The issuer of the cert to validate</param> /// <param name="validationTime">The time on which the cert was needed to validated</param> /// <param name="ocspResponses">The list of ocsp responses to use</param> /// <returns>The OCSP response that was used, <c>null</c> if none was found</returns> /// <exception cref="RevocationException{T}">When the certificate was revoked on the provided time</exception> /// <exception cref="RevocationUnknownException">When the certificate (or the OCSP) can't be validated</exception> public static BCAO.BasicOcspResponse Verify(this X509Certificate2 certificate, X509Certificate2 issuer, DateTime validationTime, IList <BCAO.BasicOcspResponse> ocspResponses) { DateTime minTime = validationTime - ClockSkewness; DateTime maxTime = validationTime + ClockSkewness; BCX.X509Certificate certificateBC = DotNetUtilities.FromX509Certificate(certificate); BCX.X509Certificate issuerBC = DotNetUtilities.FromX509Certificate(issuer); ValueWithRef <BCO.SingleResp, ValueWithRef <BCO.BasicOcspResp, BCAO.BasicOcspResponse> > singleOcspRespLeaf = ocspResponses .Select((rsp) => new ValueWithRef <BCO.BasicOcspResp, BCAO.BasicOcspResponse>(new BCO.BasicOcspResp(rsp), rsp)) //convert, but keep the original .SelectMany((r) => r.Value.Responses.Select(sr => new ValueWithRef <BCO.SingleResp, ValueWithRef <BCO.BasicOcspResp, BCAO.BasicOcspResponse> >(sr, r))) //get the single respononses, but keep the parent .Where((sr) => sr.Value.GetCertID().SerialNumber.Equals(certificateBC.SerialNumber) && sr.Value.GetCertID().MatchesIssuer(issuerBC)) //is it for this cert? .Where((sr) => sr.Value.ThisUpdate >= minTime || (sr.Value.NextUpdate != null && sr.Value.NextUpdate.Value >= minTime)) //was it issued on time? .OrderByDescending((sr) => sr.Value.ThisUpdate) //newest first .FirstOrDefault(); if (singleOcspRespLeaf == null) { return(null); } BCO.SingleResp singleOcspResp = singleOcspRespLeaf.Value; BCO.BasicOcspResp basicOcspResp = singleOcspRespLeaf.Reference.Value; BCAO.BasicOcspResponse basicOcspResponse = singleOcspRespLeaf.Reference.Reference; //get the signer name BCAX.X509Name responderName = basicOcspResp.ResponderId.ToAsn1Object().Name; if (responderName == null) { trace.TraceEvent(TraceEventType.Error, 0, "OCSP response for {0} does not have a ResponderID", certificate.Subject); throw new RevocationUnknownException("OCSP response for {0} does not have a ResponderID"); } //Get the signer certificate var selector = new BCS.X509CertStoreSelector(); selector.Subject = responderName; BCX.X509Certificate ocspSignerBc = (BCX.X509Certificate)basicOcspResp .GetCertificates("Collection").GetMatches(selector) .Cast <BCX.X509Certificate>().FirstOrDefault(); if (ocspSignerBc == null) { throw new RevocationUnknownException("The OCSP is signed by a unknown certificate"); } //verify the response signature if (!basicOcspResp.Verify(ocspSignerBc.GetPublicKey())) { throw new RevocationUnknownException("The OCSP has an invalid signature"); } //OCSP must be issued by same issuer an the certificate that it validates. try { if (!ocspSignerBc.IssuerDN.Equals(issuerBC.SubjectDN)) { throw new ApplicationException(); } ocspSignerBc.Verify(issuerBC.GetPublicKey()); } catch (Exception e) { throw new RevocationUnknownException("The OCSP signer was not issued by the proper CA", e); } //verify if the OCSP signer certificate is stil valid if (!ocspSignerBc.IsValid(basicOcspResp.ProducedAt)) { throw new RevocationUnknownException("The OCSP signer was not valid at the time the ocsp was issued"); } //check if the signer may issue OCSP IList ocspSignerExtKeyUsage = ocspSignerBc.GetExtendedKeyUsage(); if (!ocspSignerExtKeyUsage.Contains("1.3.6.1.5.5.7.3.9")) { throw new RevocationUnknownException("The OCSP is signed by a certificate that isn't allowed to sign OCSP"); } //finally, check if the certificate is revoked or not var revokedStatus = (BCO.RevokedStatus)singleOcspResp.GetCertStatus(); if (revokedStatus != null) { trace.TraceEvent(TraceEventType.Verbose, 0, "OCSP response for {0} indicates that the certificate is revoked on {1}", certificate.Subject, revokedStatus.RevocationTime); if (maxTime >= revokedStatus.RevocationTime) { throw new RevocationException <BCAO.BasicOcspResponse>(basicOcspResponse, "The certificate was revoked on " + revokedStatus.RevocationTime.ToString("o")); } } return(basicOcspResponse); }
private string TestPolicies( int index, X509Certificate trustCert, X509Certificate intCert, X509Certificate endCert, ISet requirePolicies, bool okay) { ISet trust = new HashSet(); trust.Add(new TrustAnchor(trustCert, null)); X509CertStoreSelector targetConstraints = new X509CertStoreSelector(); targetConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters pbParams = new PkixBuilderParameters(trust, targetConstraints); ISet certs = new HashSet(); certs.Add(intCert); certs.Add(endCert); IX509Store store = X509StoreFactory.Create( "CERTIFICATE/COLLECTION", new X509CollectionStoreParameters(certs)); pbParams.AddStore(store); pbParams.IsRevocationEnabled = false; if (requirePolicies != null) { pbParams.IsExplicitPolicyRequired = true; pbParams.SetInitialPolicies(requirePolicies); } // CertPathBuilder cpb = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder cpb = new PkixCertPathBuilder(); PkixCertPathBuilderResult result = null; try { result = (PkixCertPathBuilderResult)cpb.Build(pbParams); if (!okay) { Fail(index + ": path validated when failure expected."); } // if (result.getPolicyTree() != null) // { // Console.WriteLine("OK"); // Console.WriteLine("policy: " + result.getPolicyTree()); // } // else // { // Console.WriteLine("OK: policy tree = null"); // } return ""; } catch (TestFailedException e) { throw e; } catch (Exception e) { if (okay) { Fail(index + ": path failed to validate when success expected."); } Exception ee = e.InnerException; if (ee != null) { return ee.Message; } return e.Message; } }
/** * Obtain and validate the certification path for the complete CRL issuer. * If a key usage extension is present in the CRL issuer's certificate, * verify that the cRLSign bit is set. * * @param crl CRL which contains revocation information for the certificate * <code>cert</code>. * @param cert The attribute certificate or certificate to check if it is * revoked. * @param defaultCRLSignCert The issuer certificate of the certificate <code>cert</code>. * @param defaultCRLSignKey The public key of the issuer certificate * <code>defaultCRLSignCert</code>. * @param paramsPKIX paramsPKIX PKIX parameters. * @param certPathCerts The certificates on the certification path. * @return A <code>Set</code> with all keys of possible CRL issuer * certificates. * @throws AnnotatedException if the CRL is not valid or the status cannot be checked or * some error occurs. */ internal static ISet ProcessCrlF( X509Crl crl, object cert, X509Certificate defaultCRLSignCert, AsymmetricKeyParameter defaultCRLSignKey, PkixParameters paramsPKIX, IList certPathCerts) { // (f) // get issuer from CRL X509CertStoreSelector selector = new X509CertStoreSelector(); try { selector.Subject = crl.IssuerDN; } catch (IOException e) { throw new Exception( "Subject criteria for certificate selector to find issuer certificate for CRL could not be set.", e); } // get CRL signing certs IList coll = Platform.CreateArrayList(); try { CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetStores())); CollectionUtilities.AddRange(coll, PkixCertPathValidatorUtilities.FindCertificates(selector, paramsPKIX.GetAdditionalStores())); } catch (Exception e) { throw new Exception("Issuer certificate for CRL cannot be searched.", e); } coll.Add(defaultCRLSignCert); IEnumerator cert_it = coll.GetEnumerator(); IList validCerts = Platform.CreateArrayList(); IList validKeys = Platform.CreateArrayList(); while (cert_it.MoveNext()) { X509Certificate signingCert = (X509Certificate)cert_it.Current; /* * CA of the certificate, for which this CRL is checked, has also * signed CRL, so skip the path validation, because is already done */ if (signingCert.Equals(defaultCRLSignCert)) { validCerts.Add(signingCert); validKeys.Add(defaultCRLSignKey); continue; } try { // CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); selector = new X509CertStoreSelector(); selector.Certificate = signingCert; PkixParameters temp = (PkixParameters)paramsPKIX.Clone(); temp.SetTargetCertConstraints(selector); PkixBuilderParameters parameters = (PkixBuilderParameters) PkixBuilderParameters.GetInstance(temp); /* * if signingCert is placed not higher on the cert path a * dependency loop results. CRL for cert is checked, but * signingCert is needed for checking the CRL which is dependent * on checking cert because it is higher in the cert path and so * signing signingCert transitively. so, revocation is disabled, * forgery attacks of the CRL are detected in this outer loop * for all other it must be enabled to prevent forgery attacks */ if (certPathCerts.Contains(signingCert)) { parameters.IsRevocationEnabled = false; } else { parameters.IsRevocationEnabled = true; } IList certs = builder.Build(parameters).CertPath.Certificates; validCerts.Add(signingCert); validKeys.Add(PkixCertPathValidatorUtilities.GetNextWorkingKey(certs, 0)); } catch (PkixCertPathBuilderException e) { throw new Exception("Internal error.", e); } catch (PkixCertPathValidatorException e) { throw new Exception("Public key of issuer certificate of CRL could not be retrieved.", e); } //catch (Exception e) //{ // throw new Exception(e.Message); //} } ISet checkKeys = new HashSet(); Exception lastException = null; for (int i = 0; i < validCerts.Count; i++) { X509Certificate signCert = (X509Certificate)validCerts[i]; bool[] keyusage = signCert.GetKeyUsage(); if (keyusage != null && (keyusage.Length < 7 || !keyusage[CRL_SIGN])) { lastException = new Exception( "Issuer certificate key usage extension does not permit CRL signing."); } else { checkKeys.Add(validKeys[i]); } } if ((checkKeys.Count == 0) && lastException == null) { throw new Exception("Cannot find a valid issuer certificate."); } if ((checkKeys.Count == 0) && lastException != null) { throw lastException; } return checkKeys; }
private PkixCertPathBuilderResult doBuilderTest( string trustAnchor, string[] certs, string[] crls, ISet initialPolicies, bool policyMappingInhibited, bool anyPolicyInhibited) { ISet trustedSet = new HashSet(); trustedSet.Add(GetTrustAnchor(trustAnchor)); IList x509Certs = new ArrayList(); IList x509Crls = new ArrayList(); X509Certificate endCert = LoadCert(certs[certs.Length - 1]); for (int i = 0; i != certs.Length - 1; i++) { x509Certs.Add(LoadCert(certs[i])); } x509Certs.Add(endCert); for (int i = 0; i != crls.Length; i++) { x509Crls.Add(LoadCrl(crls[i])); } IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(x509Certs)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(x509Crls)); // CertPathBuilder builder = CertPathBuilder.GetInstance("PKIX"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector endSelector = new X509CertStoreSelector(); endSelector.Certificate = endCert; PkixBuilderParameters builderParams = new PkixBuilderParameters(trustedSet, endSelector); if (initialPolicies != null) { builderParams.SetInitialPolicies(initialPolicies); builderParams.IsExplicitPolicyRequired = true; } if (policyMappingInhibited) { builderParams.IsPolicyMappingInhibited = policyMappingInhibited; } if (anyPolicyInhibited) { builderParams.IsAnyPolicyInhibited = anyPolicyInhibited; } builderParams.AddStore(x509CertStore); builderParams.AddStore(x509CrlStore); // Perform validation as of this date since test certs expired builderParams.Date = new DateTimeObject(DateTime.Parse("1/1/2011")); try { return (PkixCertPathBuilderResult) builder.Build(builderParams); } catch (PkixCertPathBuilderException e) { throw e.InnerException; } }
private void v0Test() { // create certificates and CRLs AsymmetricCipherKeyPair rootPair = TestUtilities.GenerateRsaKeyPair(); AsymmetricCipherKeyPair interPair = TestUtilities.GenerateRsaKeyPair(); AsymmetricCipherKeyPair endPair = TestUtilities.GenerateRsaKeyPair(); X509Certificate rootCert = TestUtilities.GenerateRootCert(rootPair); X509Certificate interCert = TestUtilities.GenerateIntermediateCert(interPair.Public, rootPair.Private, rootCert); X509Certificate endCert = TestUtilities.GenerateEndEntityCert(endPair.Public, interPair.Private, interCert); BigInteger revokedSerialNumber = BigInteger.Two; X509Crl rootCRL = TestUtilities.CreateCrl(rootCert, rootPair.Private, revokedSerialNumber); X509Crl interCRL = TestUtilities.CreateCrl(interCert, interPair.Private, revokedSerialNumber); // create CertStore to support path building IList certList = new ArrayList(); certList.Add(rootCert); certList.Add(interCert); certList.Add(endCert); IList crlList = new ArrayList(); crlList.Add(rootCRL); crlList.Add(interCRL); // CollectionCertStoreParameters parameters = new CollectionCertStoreParameters(list); // CertStore store = CertStore.getInstance("Collection", parameters); IX509Store x509CertStore = X509StoreFactory.Create( "Certificate/Collection", new X509CollectionStoreParameters(certList)); IX509Store x509CrlStore = X509StoreFactory.Create( "CRL/Collection", new X509CollectionStoreParameters(crlList)); ISet trust = new HashSet(); trust.Add(new TrustAnchor(rootCert, null)); // build the path // CertPathBuilder builder = CertPathBuilder.getInstance("PKIX", "BC"); PkixCertPathBuilder builder = new PkixCertPathBuilder(); X509CertStoreSelector pathConstraints = new X509CertStoreSelector(); pathConstraints.Subject = endCert.SubjectDN; PkixBuilderParameters buildParams = new PkixBuilderParameters(trust, pathConstraints); // buildParams.addCertStore(store); buildParams.AddStore(x509CertStore); buildParams.AddStore(x509CrlStore); buildParams.Date = new DateTimeObject(DateTime.UtcNow); PkixCertPathBuilderResult result = builder.Build(buildParams); PkixCertPath path = result.CertPath; if (path.Certificates.Count != 2) { Fail("wrong number of certs in v0Test path"); } }
private X509CertPairStoreSelector(X509CertPairStoreSelector o) { certPair = o.CertPair; forwardSelector = o.ForwardSelector; reverseSelector = o.ReverseSelector; }